CN112995195B - Abnormal behavior prediction method and device - Google Patents

Publication number
CN112995195B
Authority
CN
China
Prior art keywords
sample data
data
determining
time parameter
behavior
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110285550.2A
Other languages
Chinese (zh)
Other versions
CN112995195A (en)
Inventor
张伟坤
徐翰隆
肖新光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to an abnormal behavior prediction method and device, wherein the method comprises the following steps: acquiring sample data of a user; the sample data comprises historical behavior data with preset duration; decomposing the sample data to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence; determining a target regression model according to the time parameter; predicting the current behavior data of the user by using the target regression model to obtain a prediction result corresponding to the current behavior data; judging whether the prediction result is located in a confidence interval of the sample data; and if not, determining that the current behavior data is abnormal behavior. The scheme can determine abnormal behaviors to realize detection of unknown threats.

Description

Abnormal behavior prediction method and device
Technical Field
The invention relates to the technical field of network security, in particular to an abnormal behavior prediction method and device.
Background
With the evolution of network security threats, traditional endpoint security products defend against known threats mainly by identifying abstract markers or characteristic information of malicious software or attacks. However, a method based on characteristic information can identify an intrusion only if that intrusion has been explicitly defined in advance; that is, the traditional method of detecting malicious software depends on discovering intrusion indicators. Therefore, for entirely new, unrecognized malware or unknown threats, abnormal behavior cannot be detected, so the network threat can take effect while defense and tracing cannot be carried out in time.
In view of the above, it is desirable to provide an abnormal behavior prediction method and apparatus to solve the above disadvantages.
Disclosure of Invention
The technical problem to be solved by the invention is how to determine abnormal behaviors so as to detect unknown threats. To address the above defects in the prior art, the invention provides an abnormal behavior prediction method and device.
In order to solve the above technical problem, in a first aspect, the present invention provides an abnormal behavior prediction method, including:
acquiring sample data of a user; the sample data comprises historical behavior data with preset duration;
decomposing the sample data to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence;
determining a target regression model according to the time parameter;
predicting the current behavior data of the user by using the target regression model to obtain a prediction result corresponding to the current behavior data;
judging whether the current behavior data accords with the prediction result;
and if not, determining that the current behavior data is abnormal behavior.
Optionally, decomposing the sample data to obtain a time parameter includes:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to a periodic factor, and determining a second time parameter according to the decomposed sample data.
Optionally, the determining a target regression model according to the time parameter includes:
creating an autoregressive moving average model;
determining the first time parameter as a moving average order of the autoregressive moving average model;
determining the second time parameter as an autoregressive parameter of the autoregressive moving average model;
and determining the target regression model according to the moving average order and the autoregressive parameter.
Optionally, after the obtaining of the sample data of the user, before the decomposing the sample data to obtain the time parameter, the method further includes:
carrying out mean value operation on the sample data to obtain a mean value corresponding to the sample data;
performing standard deviation operation on the sample data to obtain a standard deviation corresponding to the sample data;
performing standard error operation on the sample data to obtain a standard error corresponding to the sample data;
calculating according to a preset confidence degree, the mean value, the standard deviation and the standard error to obtain a confidence interval corresponding to the sample data; wherein the time parameter is obtained by decomposing the confidence interval.
Optionally, the predicting the current behavior data of the user by using the target regression model includes:
determining the time for acquiring the current behavior data of the user as predicted time;
and predicting the behavior data of the sample data at the prediction time by using the target regression model.
Optionally, after the determining that the current behavior data is abnormal behavior, the method further includes:
analyzing the current behavior data determined to be abnormal behavior according to a preset rule, and determining the reason of the abnormal behavior;
generating alarm information according to the reason of the abnormal behavior, and sending the alarm information to the user; wherein the alarm information is used to indicate that the current behavior data has been determined to be abnormal behavior and the reason for the abnormal behavior.
In a second aspect, the present invention further provides an abnormal behavior prediction apparatus, including:
the acquisition module is used for acquiring sample data of a user; the sample data comprises historical behavior data with preset duration;
the decomposition module is used for decomposing the sample data acquired by the acquisition module to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence;
a model determination module for determining a target regression model based on the time parameter obtained by the decomposition module;
the prediction module is used for predicting the current behavior data of the user by using the target regression model determined by the model determination module so as to obtain a prediction result corresponding to the current behavior data;
and the judging module is used for judging whether the current behavior data acquired by the acquiring module accords with the prediction result acquired by the predicting module, and if not, determining that the current behavior data is abnormal behavior.
Optionally, the decomposition module is further configured to perform the following operations:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to a periodic factor, and determining a second time parameter according to the decomposed sample data.
In a third aspect, the present invention further provides an abnormal behavior prediction apparatus, including: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor is configured to invoke the machine readable program to execute the abnormal behavior prediction method provided by the first aspect or any possible implementation manner of the first aspect.
In a fourth aspect, the present invention further provides a computer-readable medium, on which computer instructions are stored, and when executed by a processor, the computer instructions cause the processor to execute the abnormal behavior prediction method provided in the first aspect or any possible implementation manner of the first aspect.
The method first obtains sample data consisting of a user's historical behavior data, decomposes the sample data to obtain a time parameter, and determines a target regression model according to the time parameter. It then uses the determined target regression model to predict the user's current behavior data and obtain a corresponding prediction result; when the current behavior data does not accord with the prediction result, the current behavior data is determined to be abnormal behavior, which indicates that an unknown threat has been detected. Predicting the current behavior data with the target regression model therefore makes it possible to determine whether that data is abnormal behavior, and hence whether the user is subject to a network security intrusion or an unknown threat. Because abnormal behavior detection looks for behavior that differs from that of conventional software, malicious software behavior can be flagged before it causes irreparable damage without requiring any previously prepared threat characteristic information, and unknown threats can be detected through the abnormal behavior.
Drawings
Fig. 1 is a method for predicting abnormal behavior according to an embodiment of the present invention;
FIG. 2 is a block diagram of another abnormal behavior prediction method provided by an embodiment of the present invention;
fig. 3 is a schematic diagram of a device where an abnormal behavior prediction apparatus according to an embodiment of the present invention is located;
fig. 4 is a schematic diagram of an abnormal behavior prediction apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
As shown in fig. 1, an abnormal behavior prediction method provided in an embodiment of the present invention includes the following steps:
step 101: acquiring sample data of a user; the sample data comprises historical behavior data with preset duration;
step 102: decomposing the sample data to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence;
step 103: determining a target regression model according to the time parameter;
step 104: predicting the current behavior data of the user by using a target regression model to obtain a prediction result corresponding to the current behavior data;
step 105: judging whether the current behavior data accords with a prediction result;
step 106: if not, determining that the current behavior data is abnormal behavior.
In the embodiment of the invention, the method first obtains sample data of a user, where the sample data comprises historical behavior data of a preset duration, decomposes the sample data to obtain a time parameter, and determines a target regression model according to the time parameter. It then uses the determined target regression model to predict the user's current behavior data and obtain a corresponding prediction result; when the current behavior data does not accord with the prediction result, the current behavior data is determined to be abnormal behavior, which indicates that an unknown threat has been detected. Predicting the current behavior data with the target regression model therefore makes it possible to determine whether that data is abnormal behavior, and hence whether the user is subject to a network security intrusion or an unknown threat. Because abnormal behavior detection looks for behavior that differs from that of conventional software, malicious software behavior can be flagged before it causes irreparable damage without requiring any previously prepared threat characteristic information, and unknown threats can be detected through the abnormal behavior.
In the embodiment of the invention, the user can be a user side, different users correspond to different application scenes, and abnormal behavior prediction can be performed aiming at the application scenes of specific users so as to realize detection of unknown threats.
In the embodiment of the invention, the acquired sample data of the user is historical behavior data acquired after quantifiable processing is carried out on the user behavior, and the sample data is effective data acquired after preprocessing. Specifically, the preprocessing includes denoising the original historical behavior data, determining whether the original historical behavior data is continuous, and if not, filling the missing behavior data in the original historical behavior data. For example, the filling may be performed by a cubic exponential smoothing method, wherein the cubic exponential smoothing method uses the following formula:
Figure BDA0002980302480000061
wherein i is used to characterize the date and time of each data item in the sample data, h is used to characterize the interval between the date and time corresponding to the missing data and the date and time of each data item, i + h is used to characterize the date and time corresponding to the missing data, and $y_{i+h}$ is used to characterize the missing data corresponding to the predicted date and time,
Figure BDA0002980302480000062
is used to characterize the predicted value of the t+1 period obtained by the first exponential smoothing method;
Figure BDA0002980302480000063
is a trend factor characterizing the sample data,
Figure BDA0002980302480000064
and k is used to characterize the period length corresponding to the seasonal factor.
In the embodiment of the invention, if the current behavior data is judged to be in accordance with the prediction result, the current behavior data is determined to be not abnormal behavior, and the current user is not subjected to unknown threat.
Optionally, in the abnormal behavior prediction method shown in fig. 1, decomposing the sample data in step 102 to obtain a time parameter includes:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to the period factor, and determining a second time parameter according to the decomposed sample data.
In the embodiment of the invention, the sample data of the user can be split on the time sequence, and can be predicted in the dimensions of seasonal behavior, behavior period, behavior trend, behavior randomness and the like. Specifically, the sample data is decomposed according to the seasonal factor and the periodic factor, a first time parameter (namely, a seasonal length) and a second time parameter (namely, a periodic length) can be determined according to the decomposed sample data, and a change rule of the sample data according to the time sequence is determined. In this way, the seasonal variation and the periodic variation of the sample data on the time series are comprehensively considered, wherein the seasonal variation describes the periodic fluctuation of the data along with the seasonal variation, and the periodic variation describes the variation period of the data, which is different from the seasonal variation, for example, a period of a week or a year, so that the variation rule of the sample data can be reflected more accurately, and the prediction result can be determined more accurately according to the variation rule of the sample data along with the time series.
Alternatively, in the abnormal behavior prediction method shown in fig. 1, determining a target regression model according to the time parameter in step 103 includes:
creating an autoregressive moving average model;
determining the first time parameter as a moving average order of the autoregressive moving average model;
determining the second time parameter as an autoregressive parameter of the autoregressive moving average model;
and determining a target regression model according to the moving average order and the autoregressive parameters.
The target regression model is an autoregressive integrated moving average model (ARIMA).
In the embodiment of the invention, after the autoregressive moving average model is created, the moving average order and the autoregressive parameter in the model can be determined according to the time parameter, and finally the target regression model corresponding to the sample data of the current user is determined, so that the prediction accuracy of the target regression model is improved. Specifically, in the ARIMA model, AR stands for autoregressive, and P is the autoregressive parameter, which corresponds to the second time parameter, i.e., the period length; MA stands for moving average, and S is the moving average order, which corresponds to the first time parameter, i.e., the season length.
Optionally, in the abnormal behavior prediction method shown in fig. 1, after obtaining sample data of a user in step 101, before decomposing the sample data in step 102 to obtain a time parameter, the method further includes:
carrying out mean value operation on the sample data to obtain a mean value of the corresponding sample data;
carrying out standard deviation operation on the sample data to obtain the standard deviation of the corresponding sample data;
performing standard error operation on the sample data to obtain a standard error of the corresponding sample data;
calculating according to preset confidence, mean, standard deviation and standard error to obtain confidence intervals of corresponding sample data; wherein the time parameter is obtained by decomposing the confidence interval.
In the embodiment of the present invention, after the sample data of the user is obtained, a confidence interval of the sample data is further determined. Specifically, the mean operation, the standard deviation operation and the standard error operation are first performed in sequence on the sample data $X = (x_1, x_2, \ldots, x_n)$; a confidence (for example, 95%) is preset, and the confidence interval is determined according to the confidence interval formula. The confidence interval thus ensures the accuracy and credibility of the prediction result.
Wherein, the mean value calculation formula is:
Figure BDA0002980302480000081
the standard deviation is calculated as:
Figure BDA0002980302480000082
the standard error calculation formula is:
Figure BDA0002980302480000083
the calculation formula of the confidence interval is: $\Pr(c_1 \le \mu \le c_2) = 1 - \alpha$;
at a preset confidence of 95%, the resulting confidence interval is $(\mu - f \cdot 1.96,\ \mu + f \cdot 1.96)$.
In the embodiment of the present invention, after the confidence interval is determined, the sample data is decomposed to obtain the time parameters. A data matrix may be drawn with the Python time series library PyFlux, and the seasonal and periodic changes of the user's sample data within the obtained confidence interval are determined to obtain the corresponding time parameters: period length P and season length S.
In the embodiment of the invention, the target regression model includes the confidence interval extended with the period length and the season length, so that the confidence interval carries both the seasonal period and the time period and better matches user data that is periodic and seasonal. The target regression model can therefore obtain the prediction result for the corresponding prediction time more accurately, and abnormal behavior that does not fall within the confidence interval is predicted accurately.
Optionally, in the abnormal behavior prediction method shown in fig. 1, the step 104 of predicting the current behavior data of the user by using the target regression model includes:
determining the time for acquiring the current behavior data of the user as the predicted time;
and predicting the behavior data of the sample data at the prediction time by using the target regression model.
In the embodiment of the present invention, when predicting the current behavior data of the user by using the target regression model, the current behavior data of the user is obtained first, and the time for obtaining the current behavior data is recorded as the prediction time, and the prediction time is input in the target regression model to predict the behavior data at the prediction time, so as to obtain the prediction result corresponding to the prediction time.
In the embodiment of the invention, when the acquired current behavior data of the user is judged not to accord with the prediction result, namely the current behavior data is not positioned in the confidence interval corresponding to the prediction time, the current behavior data is determined to be abnormal behavior, namely the current user suffers from unknown threat, and the detection of the unknown threat is realized.
Optionally, in a method for predicting abnormal behavior shown in fig. 1, after determining that the current behavior data is abnormal behavior in step 106, the method further includes:
analyzing the current behavior data determined to be abnormal behavior according to a preset rule, and determining the reason of the abnormal behavior;
generating alarm information according to the reason of the abnormal behavior, and sending the alarm information to the user; the alarm information is used for indicating that the current behavior data is determined to be abnormal behavior and the reason of the abnormal behavior.
In the embodiment of the invention, after the current behavior data is determined to be the abnormal behavior, the current behavior data determined to be the abnormal behavior can be analyzed according to the preset rule and the prediction result to determine the reason of the abnormal behavior, namely, whether the current behavior data does not accord with the periodic variation or the seasonal variation is judged, the alarm information is generated, and meanwhile, the alarm information is sent to the user, so that the user can defend or trace the network attack in time according to the alarm information, and the network security is maintained.
In order to more clearly illustrate the technical solution and advantages of the present invention, as shown in fig. 2, the following describes in detail an abnormal behavior prediction method provided by an embodiment of the present invention, which specifically includes:
Step 201: acquiring sample data of a user.
Specifically, original historical behavior data of a user is obtained, and sample data corresponding to the user is obtained after quantization and preprocessing, wherein the sample data comprises historical behavior data with preset duration.
Step 202: a confidence interval corresponding to the sample data is determined.
Specifically, performing mean operation on the sample data to obtain a mean value corresponding to the sample data;
carrying out standard deviation operation on the sample data to obtain the standard deviation of the corresponding sample data;
performing standard error operation on the sample data to obtain a standard error of the corresponding sample data;
calculating according to preset confidence, mean, standard deviation and standard error to obtain a confidence interval of corresponding sample data; wherein the time parameter is obtained by decomposing the confidence interval.
Step 203: decomposing the sample data to obtain a time parameter.
Specifically, after the confidence interval is determined, the sample data is decomposed to obtain the time parameters. A data matrix can be drawn with the Python time series library PyFlux, and the seasonal and periodic changes of the user's sample data within the obtained confidence interval are determined to obtain the corresponding time parameters: period length P and season length S.
Step 204: determining a target regression model according to the time parameters.
Specifically, an autoregressive moving average model is created;
determining the first time parameter as a moving average order of the autoregressive moving average model;
determining the second time parameter as an autoregressive parameter of an autoregressive moving average model;
determining a target regression model according to the moving average order and the autoregressive parameters; wherein the target regression model comprises confidence intervals with the addition of a period length and a season length.
Step 205: predicting the current behavior data of the user by using the target regression model to obtain a prediction result corresponding to the current behavior data.
Specifically, current behavior data of a user are obtained, and the time for obtaining the current behavior data of the user is determined as prediction time; and predicting the behavior data of the sample data at the prediction time by using the target regression model to obtain a prediction result corresponding to the current behavior data.
Step 206: judging whether the current behavior data accords with the prediction result.
Specifically, if not, that is, when the current behavior data is not located in the confidence interval corresponding to the prediction time, it is determined that the current behavior data is an abnormal behavior.
Step 207: sending the alarm information to the user.
Specifically, after the current behavior data are determined to be abnormal behaviors, analyzing the current behavior data determined to be the abnormal behaviors according to a preset rule, and determining the reason of the abnormal behaviors;
generating alarm information according to the reason of the abnormal behavior, and sending the alarm information to the user; the alarm information is used for indicating that the current behavior data is determined to be abnormal behavior and the reason of the abnormal behavior.
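The effect of steps 202, 203 and 206 can be seen in the following added example, which is not code from the patent: it estimates the season length from the sample data, builds one 95% interval per position in the season, and compares that with a single interval over the whole sample. A per-phase seasonal mean stands in for the ARIMA forecast, the standard deviation is used as the interval width, and the login-count data and all function names are constructed for illustration.

```python
"""Seasonal confidence-interval check for one behavior metric (added example)."""
from statistics import mean, stdev

Z_95 = 1.96  # two-sided multiplier for the 95% confidence used in the text


def build_sample(days=14):
    """Constructed data: hourly login counts, busy 09:00-17:59, quiet otherwise."""
    series = []
    for d in range(days):
        for h in range(24):
            base = 40 if 9 <= h <= 17 else 2
            jitter = (2 * d + 3 * h) % 5 - 2  # deterministic noise in -2..2
            series.append(base + jitter)
    return series


def estimate_period(series, min_lag=2, max_lag=72):
    """Return the lag with the highest autocorrelation (the season length)."""
    n, m = len(series), mean(series)
    dev = [x - m for x in series]
    denom = sum(v * v for v in dev)
    if denom == 0:
        raise ValueError("constant series has no seasonal structure")
    best_lag, best_acf = min_lag, float("-inf")
    for lag in range(min_lag, min(max_lag, n // 2) + 1):
        acf = sum(dev[i] * dev[i + lag] for i in range(n - lag)) / denom
        if acf > best_acf:
            best_lag, best_acf = lag, acf
    return best_lag


def flat_interval(series, z=Z_95):
    """One interval for the whole sample, ignoring time of day."""
    m, sd = mean(series), stdev(series)
    return (m - z * sd, m + z * sd)


def seasonal_intervals(series, period, z=Z_95, min_sd=1.0):
    """One interval per phase of the season (e.g. per hour of the day).

    The standard error (sd / sqrt(n)) bounds the mean; a single observation
    is judged against the standard deviation, so that is the width used here.
    min_sd keeps a perfectly constant phase from producing a zero-width band.
    """
    bands = []
    for phase in range(period):
        vals = series[phase::period]
        m, sd = mean(vals), max(stdev(vals), min_sd)
        bands.append((m - z * sd, m + z * sd))
    return bands


def score(series, t, value):
    """Judge the observation `value` taken at time index t (series starts at t=0)."""
    period = estimate_period(series)
    f_lo, f_hi = flat_interval(series)
    s_lo, s_hi = seasonal_intervals(series, period)[t % period]
    reason = None
    if value > s_hi:
        reason = f"above expected range for phase {t % period}"
    elif value < s_lo:
        reason = f"below expected range for phase {t % period}"
    return {
        "period": period,
        "flat_abnormal": not (f_lo <= value <= f_hi),
        "seasonal_abnormal": reason is not None,
        "reason": reason,
    }


if __name__ == "__main__":
    history = build_sample()
    # 35 logins at 03:00 on the day after the sample window
    print(score(history, 14 * 24 + 3, 35))
    # 41 logins at 10:00 on the same day
    print(score(history, 14 * 24 + 10, 41))
```

A burst of 35 logins at 03:00 sits inside the whole-sample interval because daytime traffic makes that interval wide, while the interval for that hour alone rejects it; the `reason` field corresponds to the cause reported in step 207.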
As shown in fig. 3 and 4, an embodiment of the present invention provides an abnormal behavior prediction apparatus. The apparatus embodiments may be implemented by software, by hardware, or by a combination of hardware and software. At the hardware level, fig. 3 is a hardware structure diagram of a device in which the abnormal behavior prediction apparatus according to an embodiment of the present invention is located; in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the device in which the apparatus is located may also include other hardware, such as a forwarding chip responsible for processing packets. Taking a software implementation as an example, as shown in fig. 4, the apparatus as a logical apparatus is formed by the CPU of the device in which it is located reading the corresponding computer program instructions from the non-volatile memory into memory and running them. The present embodiment provides an abnormal behavior prediction apparatus, including:
an acquisition module 401, configured to acquire sample data of a user; the sample data comprises historical behavior data of a preset duration;
a decomposition module 402, configured to decompose the sample data acquired by the acquisition module 401 to obtain a time parameter; the time parameter is used to represent the pattern of change of the sample data over the time sequence;
a model determination module 403, configured to determine a target regression model according to the time parameter obtained by the decomposition module 402;
a prediction module 404, configured to predict current behavior data of the user by using the target regression model determined by the model determination module 403, so as to obtain a prediction result corresponding to the current behavior data;
a judging module 405, configured to judge whether the current behavior data acquired by the acquisition module 401 conforms to the prediction result obtained by the prediction module 404, and if not, determine that the current behavior data is abnormal behavior.
Optionally, in the abnormal behavior prediction apparatus shown in FIG. 4, the decomposition module 402 is further configured to perform the following operations:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to the period factor, and determining a second time parameter according to the decomposed sample data.
Optionally, in the abnormal behavior prediction apparatus shown in FIG. 4, the model determination module 403 is further configured to perform the following operations:
creating an autoregressive moving average model;
determining the first time parameter as a moving average order of the autoregressive moving average model;
determining the second time parameter as an autoregressive parameter of an autoregressive moving average model;
and determining a target regression model according to the moving average order and the autoregressive parameters.
Optionally, the abnormal behavior prediction apparatus shown in FIG. 4 further includes an operation module configured to perform the following operations:
carrying out mean value operation on the sample data to obtain a mean value of the corresponding sample data;
carrying out standard deviation operation on the sample data to obtain the standard deviation of the corresponding sample data;
performing standard error operation on the sample data to obtain a standard error corresponding to the sample data;
calculating according to preset confidence, mean, standard deviation and standard error to obtain a confidence interval of corresponding sample data; wherein the time parameter is obtained by decomposing the confidence interval.
Optionally, in the abnormal behavior prediction apparatus shown in FIG. 4, the prediction module 404 is further configured to perform the following operations:
predicting the current behavior data of the user by using a target regression model, wherein the prediction comprises the following steps:
determining the time for acquiring the current behavior data of the user as the predicted time;
and predicting the behavior data of the sample data at the prediction time by using the target regression model.
Optionally, the abnormal behavior prediction apparatus shown in FIG. 4 further includes an alarm module configured to perform the following operations:
analyzing the current behavior data determined to be abnormal behavior according to a preset rule, and determining the reason of the abnormal behavior;
generating alarm information according to the reason of the abnormal behavior, and sending the alarm information to a user; the alarm information is used for indicating that the current behavior data is determined to be abnormal behavior and the reason of the abnormal behavior.
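The module chain above (operation, decomposition, model determination, prediction, judgment, alarm) can be sketched end to end as follows. This is an added example, not code from the patent: the autocovariance-based period detection, the single-lag seasonal autoregressive model standing in for the ARMA model (no moving-average term), the alarm-reason rule, and all names and sample data are assumptions.

```python
import math
import random
from statistics import NormalDist, fmean, stdev

# Constructed sample data: typical hourly file-access counts for one user.
HOURLY_PATTERN = [2, 1, 1, 1, 1, 2, 4, 8, 15, 22, 25, 24,
                  20, 23, 25, 22, 18, 12, 8, 6, 5, 4, 3, 2]

def build_history(days=14, seed=7):
    """Historical behavior data of a preset duration (constructed, with jitter)."""
    rng = random.Random(seed)
    return [HOURLY_PATTERN[h % 24] + rng.uniform(-1.5, 1.5)
            for h in range(days * 24)]

def z_score(confidence):
    """Two-sided normal quantile for the preset confidence."""
    return NormalDist().inv_cdf((1 + confidence) / 2)

def confidence_interval(samples, confidence=0.95):
    """Operation module: mean, standard deviation, standard error, interval."""
    mean, sd = fmean(samples), stdev(samples)
    se = sd / math.sqrt(len(samples))
    half = z_score(confidence) * se
    return mean, sd, se, (mean - half, mean + half)

def autocov(samples, lag):
    """Biased autocovariance estimate at the given lag."""
    mean = fmean(samples)
    return sum((samples[i] - mean) * (samples[i - lag] - mean)
               for i in range(lag, len(samples))) / len(samples)

def period_length(samples, max_lag=36):
    """Decomposition module (assumed method): lag with the largest autocovariance."""
    return max(range(2, max_lag + 1), key=lambda lag: autocov(samples, lag))

def fit_seasonal_ar(samples, period):
    """Yule-Walker fit of x[t] - mean = phi * (x[t - period] - mean) + noise."""
    r0 = autocov(samples, 0)
    phi = autocov(samples, period) / r0
    return phi, r0 * (1 - phi * phi)   # coefficient, innovation variance

def judge(samples, current, confidence=0.95):
    """Forecast the value at the acquisition time and compare `current` with it."""
    mean = fmean(samples)
    period = period_length(samples)
    phi, noise_var = fit_seasonal_ar(samples, period)
    forecast = mean + phi * (samples[-period] - mean)
    half = z_score(confidence) * math.sqrt(noise_var)
    result = {"period": period, "band": (forecast - half, forecast + half)}
    if abs(current - forecast) <= half:
        return {**result, "abnormal": False}
    # Hypothetical "preset rule" for the alarm reason: direction of the deviation.
    direction = "above" if current > forecast else "below"
    return {**result, "abnormal": True,
            "reason": f"activity {direction} forecast band"}

if __name__ == "__main__":
    history = build_history()
    print(confidence_interval(history))
    print(judge(history, current=2.0))    # usual midnight volume
    print(judge(history, current=25.0))   # daytime volume at midnight
```

The band is built from the model's innovation variance rather than from the standard error of the mean, because the standard error describes uncertainty in the average and not the spread of a single hourly observation.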
It is to be understood that the illustrated structure of the embodiment of the present invention does not specifically limit an abnormal behavior prediction apparatus. In other embodiments of the invention, an abnormal behavior prediction apparatus may include more or fewer components than shown, or some components may be combined, some components may be separated, or a different arrangement of components may be used. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
An embodiment of the present invention further provides an abnormal behavior prediction apparatus, including: at least one memory and at least one processor;
the at least one memory is configured to store a machine-readable program;
the at least one processor is configured to invoke the machine-readable program to perform the abnormal behavior prediction method according to any embodiment of the present invention.
An embodiment of the present invention further provides a computer-readable medium, where a computer instruction is stored on the computer-readable medium, and when the computer instruction is executed by a processor, the processor is caused to execute a method for predicting abnormal behavior according to any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD+RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (7)

1. An abnormal behavior prediction method, comprising:
acquiring sample data of a user; the sample data comprises historical behavior data with preset duration;
carrying out mean value operation on the sample data to obtain a mean value corresponding to the sample data;
performing standard deviation operation on the sample data to obtain a standard deviation corresponding to the sample data;
performing standard error operation on the sample data to obtain a standard error corresponding to the sample data;
calculating according to a preset confidence degree, the mean value, the standard deviation and the standard error to obtain a confidence interval corresponding to the sample data;
decomposing the sample data to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence;
determining a target regression model according to the time parameter; the target regression model comprises a confidence interval added with a period length and a season length;
predicting the current behavior data of the user by using the target regression model to obtain a prediction result corresponding to the current behavior data;
judging whether the current behavior data accords with the prediction result;
if not, determining that the current behavior data is abnormal behavior;
the decomposing the sample data to obtain a time parameter includes:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to a periodic factor, and determining a second time parameter according to the decomposed sample data.
2. The method of claim 1, wherein determining a target regression model based on the time parameter comprises:
creating an autoregressive moving average model;
determining the first time parameter as a moving average order of the autoregressive moving average model;
determining the second time parameter as an autoregressive parameter of the autoregressive moving average model;
and determining the target regression model according to the moving average order and the autoregressive parameter.
3. The method of claim 1, wherein the predicting the current behavior data of the user using the target regression model comprises:
determining the time for acquiring the current behavior data of the user as predicted time;
and predicting the behavior data of the sample data at the prediction time by using the target regression model.
4. The method according to any one of claims 1 to 3, wherein after the determining that the current behavior data is abnormal behavior, further comprising:
analyzing the current behavior data determined to be abnormal behavior according to a preset rule, and determining the reason of the abnormal behavior;
generating alarm information according to the reason of the abnormal behavior, and sending the alarm information to the user; wherein the alarm information is used to indicate that the current behavior data has been determined to be abnormal behavior and the reason for the abnormal behavior.
5. An abnormal behavior prediction apparatus, comprising:
the acquisition module is used for acquiring sample data of a user; the sample data comprises historical behavior data with preset duration;
an operation module, configured to perform the following operations: carrying out mean value operation on the sample data to obtain a mean value of the corresponding sample data; carrying out standard deviation operation on the sample data to obtain the standard deviation of the corresponding sample data; performing standard error operation on the sample data to obtain a standard error corresponding to the sample data; calculating according to preset confidence, mean, standard deviation and standard error to obtain a confidence interval of corresponding sample data;
the decomposition module is used for decomposing the sample data acquired by the acquisition module to obtain a time parameter; the time parameter is used for representing the change rule of the sample data according to the time sequence;
a model determination module for determining a target regression model based on the time parameter obtained by the decomposition module; the target regression model comprises a confidence interval added with a period length and a season length;
the prediction module is used for predicting the current behavior data of the user by using the target regression model determined by the model determination module so as to obtain a prediction result corresponding to the current behavior data;
a judging module, configured to judge whether the current behavior data acquired by the acquiring module matches the prediction result acquired by the predicting module, and if not, determine that the current behavior data is an abnormal behavior;
the decomposition module is further configured to perform the following operations:
decomposing the sample data according to seasonal factors, and determining a first time parameter according to the decomposed sample data;
and decomposing the sample data according to a periodic factor, and determining a second time parameter according to the decomposed sample data.
6. An abnormal behavior prediction apparatus, comprising: at least one memory and at least one processor;
the at least one memory to store a machine readable program;
the at least one processor, configured to invoke the machine readable program to perform the method of any of claims 1 to 4.
7. Computer readable medium, characterized in that it has stored thereon computer instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 4.
CN202110285550.2A 2021-03-17 2021-03-17 Abnormal behavior prediction method and device Active CN112995195B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110285550.2A CN112995195B (en) 2021-03-17 2021-03-17 Abnormal behavior prediction method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110285550.2A CN112995195B (en) 2021-03-17 2021-03-17 Abnormal behavior prediction method and device

Publications (2)

Publication Number Publication Date
CN112995195A CN112995195A (en) 2021-06-18
CN112995195B CN112995195B (en) 2023-01-31

Family

ID=76334234

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110285550.2A Active CN112995195B (en) 2021-03-17 2021-03-17 Abnormal behavior prediction method and device

Country Status (1)

Country Link
CN (1) CN112995195B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114254307A (en) * 2021-12-08 2022-03-29 安天科技集团股份有限公司 Terminal timing sequence characteristic detection method, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110377491A (en) * 2019-07-10 2019-10-25 中国银联股份有限公司 A kind of data exception detection method and device
CN110377447A (en) * 2019-07-17 2019-10-25 腾讯科技(深圳)有限公司 A kind of abnormal deviation data examination method, device and server
CN111860897A (en) * 2020-08-05 2020-10-30 青岛特来电新能源科技有限公司 Abnormity detection method, device, equipment and computer readable storage medium
CN112685273A (en) * 2020-12-29 2021-04-20 京东数字科技控股股份有限公司 Anomaly detection method and device, computer equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150127595A1 (en) * 2013-11-01 2015-05-07 Numenta, Inc. Modeling and detection of anomaly based on prediction
CN111130940A (en) * 2019-12-26 2020-05-08 众安信息技术服务有限公司 Abnormal data detection method and device and server

Also Published As

Publication number Publication date
CN112995195A (en) 2021-06-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant